2003-12-01 04:41:38 +03:00
/*
Unix SMB / CIFS implementation .
test suite for netlogon rpc operations
Copyright ( C ) Andrew Tridgell 2003
2004-05-09 16:42:18 +04:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2003 - 2004
Copyright ( C ) Tim Potter 2003
2003-12-01 04:41:38 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2005-02-03 14:56:03 +03:00
# include "lib/events/events.h"
2004-11-01 13:30:34 +03:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2004-11-02 05:57:18 +03:00
# include "auth/auth.h"
2005-03-22 11:00:45 +03:00
# include "lib/cmdline/popt_common.h"
2003-12-01 04:41:38 +03:00
2004-06-06 11:14:10 +04:00
static const char * machine_password ;
2004-05-15 11:51:38 +04:00
2004-06-06 11:14:10 +04:00
# define TEST_MACHINE_NAME "torturetest"
2004-04-27 10:36:39 +04:00
2003-12-01 04:41:38 +03:00
static BOOL test_LogonUasLogon ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonUasLogon r ;
r . in . server_name = NULL ;
2005-09-22 05:50:58 +04:00
r . in . account_name = cli_credentials_get_username ( cmdline_credentials ) ;
2004-04-27 10:36:39 +04:00
r . in . workstation = TEST_MACHINE_NAME ;
2003-12-01 04:41:38 +03:00
2003-12-01 12:28:10 +03:00
printf ( " Testing LogonUasLogon \n " ) ;
2003-12-01 06:19:43 +03:00
2003-12-01 04:41:38 +03:00
status = dcerpc_netr_LogonUasLogon ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonUasLogon - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
return True ;
}
2003-12-01 06:19:43 +03:00
static BOOL test_LogonUasLogoff ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonUasLogoff r ;
r . in . server_name = NULL ;
2005-09-22 05:50:58 +04:00
r . in . account_name = cli_credentials_get_username ( cmdline_credentials ) ;
2004-04-27 10:36:39 +04:00
r . in . workstation = TEST_MACHINE_NAME ;
2003-12-01 06:19:43 +03:00
2003-12-01 12:28:10 +03:00
printf ( " Testing LogonUasLogoff \n " ) ;
2003-12-01 06:19:43 +03:00
status = dcerpc_netr_LogonUasLogoff ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonUasLogoff - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
return True ;
}
2005-05-16 00:16:26 +04:00
static BOOL test_SetupCredentials ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
2004-11-11 07:32:01 +03:00
const char * machine_name ,
const char * plain_pass ,
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * * creds_out )
2003-12-01 06:19:43 +03:00
{
NTSTATUS status ;
struct netr_ServerReqChallenge r ;
2003-12-01 07:13:43 +03:00
struct netr_ServerAuthenticate a ;
2004-05-30 17:15:15 +04:00
struct netr_Credential credentials1 , credentials2 , credentials3 ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-06-05 07:22:10 +04:00
struct samr_Password mach_password ;
2003-12-01 06:19:43 +03:00
2003-12-01 12:28:10 +03:00
printf ( " Testing ServerReqChallenge \n " ) ;
2003-12-01 06:19:43 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds = talloc ( mem_ctx , struct creds_CredentialState ) ;
if ( ! creds ) {
return False ;
}
2003-12-01 06:19:43 +03:00
r . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
r . in . computer_name = machine_name ;
2004-05-30 17:15:15 +04:00
r . in . credentials = & credentials1 ;
r . out . credentials = & credentials2 ;
2004-07-14 16:14:07 +04:00
generate_random_buffer ( credentials1 . data , sizeof ( credentials1 . data ) ) ;
2003-12-01 06:19:43 +03:00
status = dcerpc_netr_ServerReqChallenge ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerReqChallenge - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-06-05 07:22:10 +04:00
E_md4hash ( plain_pass , mach_password . hash ) ;
2003-12-01 07:13:43 +03:00
a . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
a . in . account_name = talloc_asprintf ( mem_ctx , " %s$ " , machine_name ) ;
2003-12-02 14:43:09 +03:00
a . in . secure_channel_type = SEC_CHAN_BDC ;
2004-11-11 07:32:01 +03:00
a . in . computer_name = machine_name ;
2004-05-30 17:15:15 +04:00
a . in . credentials = & credentials3 ;
a . out . credentials = & credentials3 ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_init ( creds , & credentials1 , & credentials2 ,
& mach_password , & credentials3 ,
2004-11-11 07:32:01 +03:00
0 ) ;
2003-12-01 12:28:10 +03:00
printf ( " Testing ServerAuthenticate \n " ) ;
2003-12-01 07:13:43 +03:00
status = dcerpc_netr_ServerAuthenticate ( p , mem_ctx , & a ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerAuthenticate - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-05-30 17:15:15 +04:00
if ( ! creds_client_check ( creds , & credentials3 ) ) {
2003-12-01 15:41:54 +03:00
printf ( " Credential chaining failed \n " ) ;
2003-12-02 01:13:11 +03:00
return False ;
2003-12-01 12:28:10 +03:00
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
* creds_out = creds ;
2003-12-02 03:31:54 +03:00
return True ;
}
2005-05-16 00:16:26 +04:00
static BOOL test_SetupCredentials2 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
2004-11-11 07:32:01 +03:00
uint32_t negotiate_flags ,
const char * machine_name ,
const char * plain_pass ,
2005-01-09 10:39:31 +03:00
int sec_chan_type ,
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * * creds_out )
2003-12-02 14:43:09 +03:00
{
NTSTATUS status ;
struct netr_ServerReqChallenge r ;
struct netr_ServerAuthenticate2 a ;
2004-05-30 17:15:15 +04:00
struct netr_Credential credentials1 , credentials2 , credentials3 ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-06-05 07:22:10 +04:00
struct samr_Password mach_password ;
2003-12-02 14:43:09 +03:00
printf ( " Testing ServerReqChallenge \n " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds = talloc ( mem_ctx , struct creds_CredentialState ) ;
if ( ! creds ) {
return False ;
}
2003-12-02 14:43:09 +03:00
r . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
r . in . computer_name = machine_name ;
2004-05-30 17:15:15 +04:00
r . in . credentials = & credentials1 ;
r . out . credentials = & credentials2 ;
2004-07-14 16:14:07 +04:00
generate_random_buffer ( credentials1 . data , sizeof ( credentials1 . data ) ) ;
2003-12-02 14:43:09 +03:00
status = dcerpc_netr_ServerReqChallenge ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerReqChallenge - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-06-05 07:22:10 +04:00
E_md4hash ( plain_pass , mach_password . hash ) ;
2003-12-02 14:43:09 +03:00
a . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
a . in . account_name = talloc_asprintf ( mem_ctx , " %s$ " , machine_name ) ;
2005-01-09 10:39:31 +03:00
a . in . secure_channel_type = sec_chan_type ;
2004-11-11 07:32:01 +03:00
a . in . computer_name = machine_name ;
2003-12-02 14:43:09 +03:00
a . in . negotiate_flags = & negotiate_flags ;
a . out . negotiate_flags = & negotiate_flags ;
2004-05-30 17:15:15 +04:00
a . in . credentials = & credentials3 ;
a . out . credentials = & credentials3 ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_init ( creds , & credentials1 , & credentials2 ,
& mach_password , & credentials3 ,
2004-06-04 03:15:16 +04:00
negotiate_flags ) ;
2003-12-02 14:43:09 +03:00
printf ( " Testing ServerAuthenticate2 \n " ) ;
status = dcerpc_netr_ServerAuthenticate2 ( p , mem_ctx , & a ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerAuthenticate2 - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-05-30 17:15:15 +04:00
if ( ! creds_client_check ( creds , & credentials3 ) ) {
printf ( " Credential chaining failed \n " ) ;
return False ;
}
printf ( " negotiate_flags=0x%08x \n " , negotiate_flags ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
* creds_out = creds ;
2004-05-30 17:15:15 +04:00
return True ;
}
2005-05-16 00:16:26 +04:00
static BOOL test_SetupCredentials3 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
2004-11-11 07:32:01 +03:00
uint32_t negotiate_flags ,
const char * machine_name ,
const char * plain_pass ,
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * * creds_out )
2004-05-30 17:15:15 +04:00
{
NTSTATUS status ;
struct netr_ServerReqChallenge r ;
struct netr_ServerAuthenticate3 a ;
struct netr_Credential credentials1 , credentials2 , credentials3 ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-06-05 07:22:10 +04:00
struct samr_Password mach_password ;
2005-02-10 08:09:35 +03:00
uint32_t rid ;
2004-05-30 17:15:15 +04:00
printf ( " Testing ServerReqChallenge \n " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds = talloc ( mem_ctx , struct creds_CredentialState ) ;
if ( ! creds ) {
return False ;
}
2004-05-30 17:15:15 +04:00
r . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
r . in . computer_name = machine_name ;
2004-05-30 17:15:15 +04:00
r . in . credentials = & credentials1 ;
r . out . credentials = & credentials2 ;
2004-06-04 03:15:16 +04:00
2004-07-14 16:14:07 +04:00
generate_random_buffer ( credentials1 . data , sizeof ( credentials1 . data ) ) ;
2004-05-30 17:15:15 +04:00
status = dcerpc_netr_ServerReqChallenge ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerReqChallenge - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-06-05 07:22:10 +04:00
E_md4hash ( plain_pass , mach_password . hash ) ;
2004-05-30 17:15:15 +04:00
a . in . server_name = NULL ;
2004-11-11 07:32:01 +03:00
a . in . account_name = talloc_asprintf ( mem_ctx , " %s$ " , machine_name ) ;
2004-05-30 17:15:15 +04:00
a . in . secure_channel_type = SEC_CHAN_BDC ;
2004-11-11 07:32:01 +03:00
a . in . computer_name = machine_name ;
2004-05-30 17:15:15 +04:00
a . in . negotiate_flags = & negotiate_flags ;
a . in . credentials = & credentials3 ;
a . out . credentials = & credentials3 ;
a . out . negotiate_flags = & negotiate_flags ;
a . out . rid = & rid ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_init ( creds , & credentials1 , & credentials2 ,
& mach_password , & credentials3 ,
2004-06-04 03:15:16 +04:00
negotiate_flags ) ;
2004-05-30 17:15:15 +04:00
printf ( " Testing ServerAuthenticate3 \n " ) ;
status = dcerpc_netr_ServerAuthenticate3 ( p , mem_ctx , & a ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerAuthenticate3 - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
if ( ! creds_client_check ( creds , & credentials3 ) ) {
2003-12-02 14:43:09 +03:00
printf ( " Credential chaining failed \n " ) ;
return False ;
}
printf ( " negotiate_flags=0x%08x \n " , negotiate_flags ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
* creds_out = creds ;
2003-12-02 14:43:09 +03:00
return True ;
}
2003-12-02 03:31:54 +03:00
/*
try a change password for our machine account
*/
static BOOL test_SetPassword ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_ServerPasswordSet r ;
const char * password ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2003-12-02 03:31:54 +03:00
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME ,
machine_password , & creds ) ) {
2003-12-02 03:31:54 +03:00
return False ;
}
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-06-05 07:22:10 +04:00
r . in . account_name = talloc_asprintf ( mem_ctx , " %s$ " , TEST_MACHINE_NAME ) ;
2003-12-02 14:43:09 +03:00
r . in . secure_channel_type = SEC_CHAN_BDC ;
2004-04-27 10:36:39 +04:00
r . in . computer_name = TEST_MACHINE_NAME ;
2003-12-02 03:31:54 +03:00
2004-05-15 11:51:38 +04:00
password = generate_random_str ( mem_ctx , 8 ) ;
2004-06-04 15:58:46 +04:00
E_md4hash ( password , r . in . new_password . hash ) ;
2003-12-02 03:31:54 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_des_encrypt ( creds , & r . in . new_password ) ;
2003-12-02 03:31:54 +03:00
printf ( " Testing ServerPasswordSet on machine account \n " ) ;
2004-05-15 11:51:38 +04:00
printf ( " Changing machine account password to '%s' \n " , password ) ;
2003-12-02 03:31:54 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 05:15:33 +03:00
2003-12-02 03:31:54 +03:00
status = dcerpc_netr_ServerPasswordSet ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerPasswordSet - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2003-12-02 05:15:33 +03:00
printf ( " Credential chaining failed \n " ) ;
}
2004-05-22 11:55:48 +04:00
/* by changing the machine password twice we test the
credentials chaining fully , and we verify that the server
allows the password to be set to the same value twice in a
row ( match win2k3 ) */
2003-12-02 05:15:33 +03:00
printf ( " Testing a second ServerPasswordSet on machine account \n " ) ;
2004-08-25 05:58:08 +04:00
printf ( " Changing machine account password to '%s' (same as previous run) \n " , password ) ;
2003-12-02 05:15:33 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 05:15:33 +03:00
status = dcerpc_netr_ServerPasswordSet ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2004-05-15 11:51:38 +04:00
printf ( " ServerPasswordSet (2) - %s \n " , nt_errstr ( status ) ) ;
2003-12-02 05:15:33 +03:00
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2003-12-01 15:41:54 +03:00
printf ( " Credential chaining failed \n " ) ;
}
2004-06-06 11:14:10 +04:00
machine_password = password ;
2004-05-15 11:51:38 +04:00
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
2004-05-16 13:43:19 +04:00
printf ( " ServerPasswordSet failed to actually change the password \n " ) ;
return False ;
}
2003-12-01 06:19:43 +03:00
return True ;
}
2005-01-12 10:22:34 +03:00
/*
try a change password for our machine account
*/
static BOOL test_SetPassword2 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_ServerPasswordSet2 r ;
const char * password ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2005-03-24 09:30:38 +03:00
struct samr_CryptPassword password_buf ;
2005-01-12 10:22:34 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME ,
machine_password , & creds ) ) {
return False ;
}
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . account_name = talloc_asprintf ( mem_ctx , " %s$ " , TEST_MACHINE_NAME ) ;
r . in . secure_channel_type = SEC_CHAN_BDC ;
r . in . computer_name = TEST_MACHINE_NAME ;
2005-03-24 09:30:38 +03:00
password = generate_random_str ( mem_ctx , 8 ) ;
encode_pw_buffer ( password_buf . data , password , STR_UNICODE ) ;
creds_arcfour_crypt ( creds , password_buf . data , 516 ) ;
memcpy ( r . in . new_password . data , password_buf . data , 512 ) ;
r . in . new_password . length = IVAL ( password_buf . data , 512 ) ;
2005-01-12 13:49:52 +03:00
2005-03-24 09:30:38 +03:00
printf ( " Testing ServerPasswordSet2 on machine account \n " ) ;
2005-01-12 13:49:52 +03:00
printf ( " Changing machine account password to '%s' \n " , password ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2005-01-12 13:49:52 +03:00
status = dcerpc_netr_ServerPasswordSet2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-03-24 09:30:38 +03:00
printf ( " ServerPasswordSet2 - %s \n " , nt_errstr ( status ) ) ;
2005-01-12 13:49:52 +03:00
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2005-01-12 13:49:52 +03:00
printf ( " Credential chaining failed \n " ) ;
}
machine_password = password ;
2005-04-11 02:23:02 +04:00
if ( ! lp_parm_bool ( - 1 , " torture " , " dangerous " , False ) ) {
printf ( " Not testing ability to set password to '', enable dangerous tests to perform this test \n " ) ;
} else {
/* by changing the machine password to ""
* we check if the server uses password restrictions
* for ServerPasswordSet2
* ( win2k3 accepts " " )
*/
password = " " ;
encode_pw_buffer ( password_buf . data , password , STR_UNICODE ) ;
creds_arcfour_crypt ( creds , password_buf . data , 516 ) ;
memcpy ( r . in . new_password . data , password_buf . data , 512 ) ;
r . in . new_password . length = IVAL ( password_buf . data , 512 ) ;
printf ( " Testing ServerPasswordSet2 on machine account \n " ) ;
printf ( " Changing machine account password to '%s' \n " , password ) ;
creds_client_authenticator ( creds , & r . in . credential ) ;
status = dcerpc_netr_ServerPasswordSet2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " ServerPasswordSet2 - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
printf ( " Credential chaining failed \n " ) ;
}
machine_password = password ;
}
2005-01-12 13:49:52 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
printf ( " ServerPasswordSet failed to actually change the password \n " ) ;
return False ;
}
/* now try a random password */
2005-01-12 10:22:34 +03:00
password = generate_random_str ( mem_ctx , 8 ) ;
2005-03-24 09:30:38 +03:00
encode_pw_buffer ( password_buf . data , password , STR_UNICODE ) ;
creds_arcfour_crypt ( creds , password_buf . data , 516 ) ;
2005-01-12 10:22:34 +03:00
2005-03-24 09:30:38 +03:00
memcpy ( r . in . new_password . data , password_buf . data , 512 ) ;
r . in . new_password . length = IVAL ( password_buf . data , 512 ) ;
printf ( " Testing second ServerPasswordSet2 on machine account \n " ) ;
2005-01-12 10:22:34 +03:00
printf ( " Changing machine account password to '%s' \n " , password ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2005-01-12 10:22:34 +03:00
status = dcerpc_netr_ServerPasswordSet2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-03-24 09:30:38 +03:00
printf ( " ServerPasswordSet2 (2) - %s \n " , nt_errstr ( status ) ) ;
2005-01-12 10:22:34 +03:00
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2005-01-12 10:22:34 +03:00
printf ( " Credential chaining failed \n " ) ;
}
/* by changing the machine password twice we test the
credentials chaining fully , and we verify that the server
allows the password to be set to the same value twice in a
row ( match win2k3 ) */
printf ( " Testing a second ServerPasswordSet2 on machine account \n " ) ;
printf ( " Changing machine account password to '%s' (same as previous run) \n " , password ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2005-01-12 10:22:34 +03:00
status = dcerpc_netr_ServerPasswordSet2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-03-24 09:30:38 +03:00
printf ( " ServerPasswordSet (3) - %s \n " , nt_errstr ( status ) ) ;
2005-01-12 10:22:34 +03:00
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2005-01-12 10:22:34 +03:00
printf ( " Credential chaining failed \n " ) ;
}
machine_password = password ;
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
printf ( " ServerPasswordSet failed to actually change the password \n " ) ;
return False ;
}
return True ;
}
2004-11-12 02:24:30 +03:00
/*
try a netlogon SamLogon
*/
2005-10-26 09:56:44 +04:00
BOOL test_netlogon_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
struct cli_credentials * credentials ,
struct creds_CredentialState * creds )
2004-11-12 02:24:30 +03:00
{
NTSTATUS status ;
struct netr_LogonSamLogon r ;
struct netr_Authenticator auth , auth2 ;
struct netr_NetworkInfo ninfo ;
2005-10-26 09:56:44 +04:00
DATA_BLOB names_blob , chal , lm_resp , nt_resp ;
2004-11-12 02:24:30 +03:00
int i ;
BOOL ret = True ;
2005-10-26 09:56:44 +04:00
int flags = CLI_CRED_NTLM_AUTH ;
if ( lp_client_lanman_auth ( ) ) {
flags | = CLI_CRED_LANMAN_AUTH ;
}
2004-11-12 02:24:30 +03:00
2005-10-26 09:56:44 +04:00
if ( lp_client_ntlmv2_auth ( ) ) {
flags | = CLI_CRED_NTLMv2_AUTH ;
}
cli_credentials_get_ntlm_username_domain ( cmdline_credentials , mem_ctx ,
& ninfo . identity_info . account_name . string ,
& ninfo . identity_info . domain_name . string ) ;
generate_random_buffer ( ninfo . challenge ,
sizeof ( ninfo . challenge ) ) ;
chal = data_blob_const ( ninfo . challenge ,
sizeof ( ninfo . challenge ) ) ;
names_blob = NTLMv2_generate_names_blob ( mem_ctx , cli_credentials_get_workstation ( credentials ) ,
cli_credentials_get_domain ( credentials ) ) ;
status = cli_credentials_get_ntlm_response ( cmdline_credentials , mem_ctx ,
& flags ,
chal ,
names_blob ,
& lm_resp , & nt_resp ,
NULL , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " cli_credentials_get_ntlm_response failed: %s \n " ,
nt_errstr ( status ) ) ;
2004-11-12 02:24:30 +03:00
return False ;
}
2005-10-26 09:56:44 +04:00
ninfo . lm . data = lm_resp . data ;
ninfo . lm . length = lm_resp . length ;
ninfo . nt . data = nt_resp . data ;
ninfo . nt . length = nt_resp . length ;
2004-11-12 02:24:30 +03:00
ninfo . identity_info . parameter_control = 0 ;
ninfo . identity_info . logon_id_low = 0 ;
ninfo . identity_info . logon_id_high = 0 ;
2005-10-26 09:56:44 +04:00
ninfo . identity_info . workstation . string = cli_credentials_get_workstation ( credentials ) ;
2004-11-12 02:24:30 +03:00
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2005-10-26 09:56:44 +04:00
r . in . workstation = cli_credentials_get_workstation ( credentials ) ;
2004-11-12 02:24:30 +03:00
r . in . credential = & auth ;
r . in . return_authenticator = & auth2 ;
r . in . logon_level = 2 ;
r . in . logon . network = & ninfo ;
2005-10-26 09:56:44 +04:00
printf ( " Testing LogonSamLogon with name %s \n " , ninfo . identity_info . account_name . string ) ;
for ( i = 2 ; i < 3 ; i + + ) {
2004-11-12 02:24:30 +03:00
ZERO_STRUCT ( auth2 ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & auth ) ;
2005-10-26 09:56:44 +04:00
2004-11-12 02:24:30 +03:00
r . in . validation_level = i ;
2005-10-26 09:56:44 +04:00
2004-11-12 02:24:30 +03:00
status = dcerpc_netr_LogonSamLogon ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-26 09:56:44 +04:00
printf ( " LogonSamLogon failed: %s \n " ,
nt_errstr ( status ) ) ;
return False ;
2004-11-12 02:24:30 +03:00
}
2005-10-26 09:56:44 +04:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator - > cred ) ) {
2004-11-12 02:24:30 +03:00
printf ( " Credential chaining failed \n " ) ;
2005-10-26 09:56:44 +04:00
ret = False ;
2004-11-12 02:24:30 +03:00
}
2005-10-26 09:56:44 +04:00
2004-11-12 02:24:30 +03:00
}
2005-01-03 09:23:02 +03:00
r . in . credential = NULL ;
for ( i = 2 ; i < = 3 ; i + + ) {
r . in . validation_level = i ;
printf ( " Testing SamLogon with validation level %d \n " , i ) ;
status = dcerpc_netr_LogonSamLogon ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_INVALID_PARAMETER ) ) {
printf ( " LogonSamLogon expected INVALID_PARAMETER, got: %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
2005-10-26 09:56:44 +04:00
2004-11-12 02:24:30 +03:00
return ret ;
}
2005-10-26 09:56:44 +04:00
/*
try a netlogon SamLogon
*/
static BOOL test_SamLogon ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
struct cli_credentials * credentials )
{
struct creds_CredentialState * creds ;
if ( ! test_SetupCredentials ( p , mem_ctx , cli_credentials_get_workstation ( credentials ) ,
cli_credentials_get_password ( credentials ) , & creds ) ) {
return False ;
}
return test_netlogon_ops ( p , mem_ctx , credentials , creds ) ;
}
2003-12-02 11:04:37 +03:00
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
2004-05-25 17:57:39 +04:00
static uint64_t sequence_nums [ 3 ] ;
2003-12-02 11:04:37 +03:00
2003-12-02 06:06:21 +03:00
/*
try a netlogon DatabaseSync
*/
static BOOL test_DatabaseSync ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_DatabaseSync r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-11-12 02:24:30 +03:00
const uint32_t database_ids [ ] = { SAM_DATABASE_DOMAIN , SAM_DATABASE_BUILTIN , SAM_DATABASE_PRIVS } ;
2003-12-02 07:33:57 +03:00
int i ;
BOOL ret = True ;
2003-12-02 06:06:21 +03:00
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
2003-12-02 06:06:21 +03:00
return False ;
}
2003-12-02 13:34:06 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-04-27 10:36:39 +04:00
r . in . computername = TEST_MACHINE_NAME ;
2004-05-25 20:24:13 +04:00
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2003-12-02 07:33:57 +03:00
ZERO_STRUCT ( r . in . return_authenticator ) ;
2003-12-02 06:06:21 +03:00
2003-12-02 07:33:57 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
2003-12-02 07:59:18 +03:00
r . in . sync_context = 0 ;
2003-12-02 07:33:57 +03:00
r . in . database_id = database_ids [ i ] ;
2003-12-02 06:06:21 +03:00
2003-12-02 07:33:57 +03:00
printf ( " Testing DatabaseSync of id %d \n " , r . in . database_id ) ;
2003-12-02 06:06:21 +03:00
2003-12-02 07:33:57 +03:00
do {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 07:33:57 +03:00
status = dcerpc_netr_DatabaseSync ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) & &
! NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) {
printf ( " DatabaseSync - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
break ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2003-12-02 07:33:57 +03:00
printf ( " Credential chaining failed \n " ) ;
}
r . in . sync_context = r . out . sync_context ;
2003-12-02 11:04:37 +03:00
if ( r . out . delta_enum_array & &
r . out . delta_enum_array - > num_deltas > 0 & &
2004-11-12 02:24:30 +03:00
r . out . delta_enum_array - > delta_enum [ 0 ] . delta_type = = NETR_DELTA_DOMAIN & &
2003-12-02 11:04:37 +03:00
r . out . delta_enum_array - > delta_enum [ 0 ] . delta_union . domain ) {
sequence_nums [ r . in . database_id ] =
r . out . delta_enum_array - > delta_enum [ 0 ] . delta_union . domain - > sequence_num ;
2004-05-25 17:57:39 +04:00
printf ( " \t sequence_nums[%d]=%llu \n " ,
2003-12-02 11:04:37 +03:00
r . in . database_id ,
2005-09-16 11:10:11 +04:00
( unsigned long long ) sequence_nums [ r . in . database_id ] ) ;
2003-12-02 11:04:37 +03:00
}
} while ( NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) ;
}
return ret ;
}
/*
try a netlogon DatabaseDeltas
*/
static BOOL test_DatabaseDeltas ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_DatabaseDeltas r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-05-25 20:24:13 +04:00
const uint32_t database_ids [ ] = { 0 , 1 , 2 } ;
2003-12-02 11:04:37 +03:00
int i ;
BOOL ret = True ;
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
2003-12-02 11:04:37 +03:00
return False ;
}
2003-12-02 13:34:06 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-04-27 10:36:39 +04:00
r . in . computername = TEST_MACHINE_NAME ;
2004-05-25 20:24:13 +04:00
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2003-12-02 11:04:37 +03:00
ZERO_STRUCT ( r . in . return_authenticator ) ;
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
r . in . database_id = database_ids [ i ] ;
r . in . sequence_num = sequence_nums [ r . in . database_id ] ;
2004-04-09 11:51:03 +04:00
2004-05-25 17:57:39 +04:00
if ( r . in . sequence_num = = 0 ) continue ;
2004-04-09 11:51:03 +04:00
2004-05-25 17:57:39 +04:00
r . in . sequence_num - = 1 ;
2003-12-02 11:04:37 +03:00
2004-04-09 11:51:03 +04:00
2004-05-25 17:57:39 +04:00
printf ( " Testing DatabaseDeltas of id %d at %llu \n " ,
2005-09-16 11:10:11 +04:00
r . in . database_id , ( unsigned long long ) r . in . sequence_num ) ;
2003-12-02 11:04:37 +03:00
do {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 11:04:37 +03:00
status = dcerpc_netr_DatabaseDeltas ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) & &
! NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) {
printf ( " DatabaseDeltas - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
break ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2003-12-02 11:04:37 +03:00
printf ( " Credential chaining failed \n " ) ;
}
2004-05-25 17:57:39 +04:00
r . in . sequence_num + + ;
2003-12-02 07:33:57 +03:00
} while ( NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) ;
2003-12-02 06:06:21 +03:00
}
2003-12-02 07:33:57 +03:00
return ret ;
2003-12-02 06:06:21 +03:00
}
2003-12-02 12:52:15 +03:00
/*
try a netlogon AccountDeltas
*/
static BOOL test_AccountDeltas ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_AccountDeltas r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2003-12-02 12:52:15 +03:00
BOOL ret = True ;
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
2003-12-02 12:52:15 +03:00
return False ;
}
2003-12-02 13:34:06 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-04-27 10:36:39 +04:00
r . in . computername = TEST_MACHINE_NAME ;
2003-12-02 12:52:15 +03:00
ZERO_STRUCT ( r . in . return_authenticator ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 12:52:15 +03:00
ZERO_STRUCT ( r . in . uas ) ;
r . in . count = 10 ;
r . in . level = 0 ;
r . in . buffersize = 100 ;
printf ( " Testing AccountDeltas \n " ) ;
/* w2k3 returns "NOT IMPLEMENTED" for this call */
status = dcerpc_netr_AccountDeltas ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_NOT_IMPLEMENTED ) ) {
printf ( " AccountDeltas - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
return ret ;
}
2003-12-02 13:04:10 +03:00
/*
try a netlogon AccountSync
*/
static BOOL test_AccountSync ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_AccountSync r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2003-12-02 13:04:10 +03:00
BOOL ret = True ;
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials ( p , mem_ctx , TEST_MACHINE_NAME , machine_password , & creds ) ) {
2003-12-02 13:04:10 +03:00
return False ;
}
2003-12-02 13:34:06 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-04-27 10:36:39 +04:00
r . in . computername = TEST_MACHINE_NAME ;
2003-12-02 13:04:10 +03:00
ZERO_STRUCT ( r . in . return_authenticator ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 13:04:10 +03:00
ZERO_STRUCT ( r . in . recordid ) ;
r . in . reference = 0 ;
r . in . level = 0 ;
r . in . buffersize = 100 ;
printf ( " Testing AccountSync \n " ) ;
/* w2k3 returns "NOT IMPLEMENTED" for this call */
status = dcerpc_netr_AccountSync ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_NOT_IMPLEMENTED ) ) {
printf ( " AccountSync - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
return ret ;
}
2003-12-02 13:08:26 +03:00
/*
try a netlogon GetDcName
*/
static BOOL test_GetDcName ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_GetDcName r ;
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . domainname = lp_workgroup ( ) ;
printf ( " Testing GetDcName \n " ) ;
status = dcerpc_netr_GetDcName ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " GetDcName - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2003-12-02 13:34:06 +03:00
printf ( " \t DC is at '%s' \n " , r . out . dcname ) ;
return True ;
}
/*
try a netlogon LogonControl
*/
static BOOL test_LogonControl ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonControl r ;
BOOL ret = True ;
int i ;
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . function_code = 1 ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl level %d \n " , i ) ;
status = dcerpc_netr_LogonControl ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
return ret ;
}
/*
try a netlogon GetAnyDCName
*/
static BOOL test_GetAnyDCName ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_GetAnyDCName r ;
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . domainname = lp_workgroup ( ) ;
printf ( " Testing GetAnyDCName \n " ) ;
status = dcerpc_netr_GetAnyDCName ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " GetAnyDCName - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
if ( r . out . dcname ) {
printf ( " \t DC is at '%s' \n " , r . out . dcname ) ;
}
2003-12-02 13:08:26 +03:00
return True ;
}
2003-12-02 12:52:15 +03:00
2003-12-02 14:43:09 +03:00
/*
try a netlogon LogonControl2
*/
static BOOL test_LogonControl2 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonControl2 r ;
BOOL ret = True ;
int i ;
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . function_code = NETLOGON_CONTROL_REDISCOVER ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2 level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_TC_QUERY ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2 level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2 level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_SET_DBFLAG ;
r . in . data . debug_level = ~ 0 ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2 level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
return ret ;
}
2003-12-02 15:01:10 +03:00
/*
try a netlogon DatabaseSync2
*/
static BOOL test_DatabaseSync2 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_DatabaseSync2 r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-05-25 20:24:13 +04:00
const uint32_t database_ids [ ] = { 0 , 1 , 2 } ;
2003-12-02 15:01:10 +03:00
int i ;
BOOL ret = True ;
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials2 ( p , mem_ctx , NETLOGON_NEG_AUTH2_FLAGS ,
2005-01-09 10:39:31 +03:00
TEST_MACHINE_NAME , machine_password ,
SEC_CHAN_BDC , & creds ) ) {
2003-12-02 15:01:10 +03:00
return False ;
}
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2004-04-27 10:36:39 +04:00
r . in . computername = TEST_MACHINE_NAME ;
2004-05-25 20:24:13 +04:00
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2003-12-02 15:01:10 +03:00
ZERO_STRUCT ( r . in . return_authenticator ) ;
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
r . in . sync_context = 0 ;
r . in . database_id = database_ids [ i ] ;
r . in . restart_state = 0 ;
printf ( " Testing DatabaseSync2 of id %d \n " , r . in . database_id ) ;
do {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & r . in . credential ) ;
2003-12-02 15:01:10 +03:00
status = dcerpc_netr_DatabaseSync2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) & &
! NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) {
printf ( " DatabaseSync2 - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
break ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & r . out . return_authenticator . cred ) ) {
2003-12-02 15:01:10 +03:00
printf ( " Credential chaining failed \n " ) ;
}
r . in . sync_context = r . out . sync_context ;
} while ( NT_STATUS_EQUAL ( status , STATUS_MORE_ENTRIES ) ) ;
}
return ret ;
}
2003-12-02 15:16:08 +03:00
/*
try a netlogon LogonControl2Ex
*/
static BOOL test_LogonControl2Ex ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonControl2Ex r ;
BOOL ret = True ;
int i ;
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . function_code = NETLOGON_CONTROL_REDISCOVER ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2Ex level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2Ex ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_TC_QUERY ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2Ex level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2Ex ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY ;
r . in . data . domain = lp_workgroup ( ) ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2Ex level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2Ex ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
r . in . function_code = NETLOGON_CONTROL_SET_DBFLAG ;
r . in . data . debug_level = ~ 0 ;
for ( i = 1 ; i < 4 ; i + + ) {
r . in . level = i ;
printf ( " Testing LogonControl2Ex level %d function %d \n " ,
i , r . in . function_code ) ;
status = dcerpc_netr_LogonControl2Ex ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonControl - %s \n " , nt_errstr ( status ) ) ;
ret = False ;
}
}
return ret ;
}
2004-05-28 17:23:30 +04:00
/*
try a netlogon netr_DsrEnumerateDomainTrusts
*/
static BOOL test_DsrEnumerateDomainTrusts ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_DsrEnumerateDomainTrusts r ;
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . trust_flags = 0x3f ;
printf ( " Testing netr_DsrEnumerateDomainTrusts \n " ) ;
status = dcerpc_netr_DsrEnumerateDomainTrusts ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) | | ! W_ERROR_IS_OK ( r . out . result ) ) {
printf ( " netr_DsrEnumerateDomainTrusts - %s/%s \n " ,
nt_errstr ( status ) , win_errstr ( r . out . result ) ) ;
return False ;
}
return True ;
}
2004-11-22 20:14:57 +03:00
/*
try a netlogon netr_DrsGetDCNameEx2
*/
static BOOL test_netr_DrsGetDCNameEx2 ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_DrsGetDCNameEx2 r ;
BOOL ret = True ;
r . in . server_unc = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . client_account = NULL ;
r . in . mask = 0x00000000 ;
r . in . domain_name = talloc_asprintf ( mem_ctx , " %s " , lp_realm ( ) ) ;
r . in . domain_guid = NULL ;
r . in . site_name = NULL ;
r . in . flags = 0x40000000 ;
printf ( " Testing netr_DrsGetDCNameEx2 without client account \n " ) ;
status = dcerpc_netr_DrsGetDCNameEx2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) | | ! W_ERROR_IS_OK ( r . out . result ) ) {
printf ( " netr_DrsGetDCNameEx2 - %s/%s \n " ,
nt_errstr ( status ) , win_errstr ( r . out . result ) ) ;
ret = False ;
}
printf ( " Testing netr_DrsGetDCNameEx2 with client acount \n " ) ;
r . in . client_account = TEST_MACHINE_NAME " $ " ;
r . in . mask = 0x00002000 ;
r . in . flags = 0x80000000 ;
status = dcerpc_netr_DrsGetDCNameEx2 ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) | | ! W_ERROR_IS_OK ( r . out . result ) ) {
printf ( " netr_DrsGetDCNameEx2 - %s/%s \n " ,
nt_errstr ( status ) , win_errstr ( r . out . result ) ) ;
ret = False ;
}
return ret ;
}
2004-05-28 17:23:30 +04:00
2004-06-14 12:15:31 +04:00
static BOOL test_GetDomainInfo ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonGetDomainInfo r ;
struct netr_DomainQuery1 q1 ;
struct netr_Authenticator a ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
2004-06-14 12:15:31 +04:00
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials3 ( p , mem_ctx , NETLOGON_NEG_AUTH2_ADS_FLAGS ,
TEST_MACHINE_NAME , machine_password , & creds ) ) {
2004-06-14 12:15:31 +04:00
return False ;
}
ZERO_STRUCT ( r ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & a ) ;
2004-06-14 12:15:31 +04:00
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . computer_name = TEST_MACHINE_NAME ;
r . in . level = 1 ;
r . in . credential = & a ;
2005-01-29 07:02:13 +03:00
r . in . return_authenticator = & a ;
r . out . return_authenticator = & a ;
2004-06-14 12:15:31 +04:00
r . in . query . query1 = & q1 ;
ZERO_STRUCT ( q1 ) ;
/* this should really be the fully qualified name */
q1 . workstation_domain = TEST_MACHINE_NAME ;
q1 . workstation_site = " Default-First-Site-Name " ;
q1 . blob2 . length = 0 ;
q1 . blob2 . size = 0 ;
q1 . blob2 . data = NULL ;
q1 . product . string = " product string " ;
printf ( " Testing netr_LogonGetDomainInfo \n " ) ;
status = dcerpc_netr_LogonGetDomainInfo ( p , mem_ctx , & r ) ;
2004-06-15 07:53:21 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " netr_LogonGetDomainInfo - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2004-06-14 12:15:31 +04:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds , & a . cred ) ) {
2004-06-14 12:15:31 +04:00
printf ( " Credential chaining failed \n " ) ;
2004-06-15 07:53:21 +04:00
return False ;
2004-06-14 12:15:31 +04:00
}
return True ;
}
2004-09-02 16:03:16 +04:00
static void async_callback ( struct rpc_request * req )
{
int * counter = req - > async . private ;
if ( NT_STATUS_IS_OK ( req - > status ) ) {
( * counter ) + + ;
}
}
2004-09-02 15:06:23 +04:00
static BOOL test_GetDomainInfo_async ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct netr_LogonGetDomainInfo r ;
struct netr_DomainQuery1 q1 ;
struct netr_Authenticator a ;
# define ASYNC_COUNT 100
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct creds_CredentialState * creds ;
struct creds_CredentialState * creds_async [ ASYNC_COUNT ] ;
2004-09-02 15:06:23 +04:00
struct rpc_request * req [ ASYNC_COUNT ] ;
int i ;
2005-01-27 10:08:20 +03:00
int * async_counter = talloc ( mem_ctx , int ) ;
2005-01-06 12:26:14 +03:00
if ( ! lp_parm_bool ( - 1 , " torture " , " dangerous " , False ) ) {
printf ( " test_GetDomainInfo_async disabled - enable dangerous tests to use \n " ) ;
return True ;
}
2004-09-02 15:06:23 +04:00
2004-11-11 07:32:01 +03:00
if ( ! test_SetupCredentials3 ( p , mem_ctx , NETLOGON_NEG_AUTH2_ADS_FLAGS ,
TEST_MACHINE_NAME , machine_password , & creds ) ) {
2004-09-02 15:06:23 +04:00
return False ;
}
ZERO_STRUCT ( r ) ;
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . computer_name = TEST_MACHINE_NAME ;
r . in . level = 1 ;
r . in . credential = & a ;
2005-01-29 07:02:13 +03:00
r . in . return_authenticator = & a ;
r . out . return_authenticator = & a ;
2004-09-02 15:06:23 +04:00
r . in . query . query1 = & q1 ;
ZERO_STRUCT ( q1 ) ;
/* this should really be the fully qualified name */
q1 . workstation_domain = TEST_MACHINE_NAME ;
q1 . workstation_site = " Default-First-Site-Name " ;
q1 . blob2 . length = 0 ;
q1 . blob2 . size = 0 ;
q1 . blob2 . data = NULL ;
q1 . product . string = " product string " ;
printf ( " Testing netr_LogonGetDomainInfo - async count %d \n " , ASYNC_COUNT ) ;
2005-01-06 12:26:14 +03:00
* async_counter = 0 ;
2004-09-02 15:06:23 +04:00
for ( i = 0 ; i < ASYNC_COUNT ; i + + ) {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_client_authenticator ( creds , & a ) ;
2004-09-02 15:06:23 +04:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
creds_async [ i ] = talloc_memdup ( creds , creds , sizeof ( * creds ) ) ;
2004-09-02 15:06:23 +04:00
req [ i ] = dcerpc_netr_LogonGetDomainInfo_send ( p , mem_ctx , & r ) ;
2004-09-02 16:03:16 +04:00
req [ i ] - > async . callback = async_callback ;
2005-01-06 12:26:14 +03:00
req [ i ] - > async . private = async_counter ;
2004-09-02 16:03:16 +04:00
/* even with this flush per request a w2k3 server seems to
clag with multiple outstanding requests . bleergh . */
2004-09-20 14:40:11 +04:00
if ( event_loop_once ( dcerpc_event_context ( p ) ) ! = 0 ) {
return False ;
}
2004-09-02 15:06:23 +04:00
}
for ( i = 0 ; i < ASYNC_COUNT ; i + + ) {
status = dcerpc_ndr_request_recv ( req [ i ] ) ;
if ( ! NT_STATUS_IS_OK ( status ) | | ! NT_STATUS_IS_OK ( r . out . result ) ) {
printf ( " netr_LogonGetDomainInfo_async(%d) - %s/%s \n " ,
i , nt_errstr ( status ) , nt_errstr ( r . out . result ) ) ;
2004-09-02 16:03:16 +04:00
break ;
2004-09-02 15:06:23 +04:00
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! creds_client_check ( creds_async [ i ] , & a . cred ) ) {
2004-09-02 15:06:23 +04:00
printf ( " Credential chaining failed at async %d \n " , i ) ;
2004-09-02 16:03:16 +04:00
break ;
2004-09-02 15:06:23 +04:00
}
}
2005-01-06 12:26:14 +03:00
printf ( " Testing netr_LogonGetDomainInfo - async count %d OK \n " , * async_counter ) ;
2004-09-02 15:06:23 +04:00
2005-01-06 12:26:14 +03:00
return ( * async_counter ) = = ASYNC_COUNT ;
2004-09-02 15:06:23 +04:00
}
2005-01-07 21:13:53 +03:00
static BOOL test_ManyGetDCName ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct dcerpc_binding * b ;
2005-01-07 21:13:53 +03:00
struct dcerpc_pipe * p2 ;
struct lsa_ObjectAttribute attr ;
struct lsa_QosInfo qos ;
struct lsa_OpenPolicy2 o ;
struct policy_handle lsa_handle ;
struct lsa_DomainList domains ;
struct lsa_EnumTrustDom t ;
uint32_t resume_handle = 0 ;
struct netr_GetAnyDCName d ;
int i ;
BOOL ret = True ;
2005-01-09 11:34:05 +03:00
if ( p - > conn - > transport . transport ! = NCACN_NP ) {
2005-01-07 21:13:53 +03:00
return True ;
}
printf ( " Torturing GetDCName \n " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
status = dcerpc_parse_binding ( mem_ctx , p - > conn - > binding_string , & b ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to parse dcerpc binding '%s' \n " , p - > conn - > binding_string ) ;
return False ;
}
status = dcerpc_secondary_connection ( p , & p2 , b ) ;
2005-01-07 21:13:53 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to create secondary connection \n " ) ;
return False ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
status = dcerpc_bind_auth_none ( p2 , DCERPC_LSARPC_UUID ,
DCERPC_LSARPC_VERSION ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to create bind on secondary connection \n " ) ;
return False ;
}
2005-01-07 21:13:53 +03:00
qos . len = 0 ;
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
attr . len = 0 ;
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
o . in . system_name = " \\ " ;
o . in . attr = & attr ;
o . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
o . out . handle = & lsa_handle ;
status = dcerpc_lsa_OpenPolicy2 ( p2 , mem_ctx , & o ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " OpenPolicy2 failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
t . in . handle = & lsa_handle ;
t . in . resume_handle = & resume_handle ;
2005-01-12 13:25:44 +03:00
t . in . max_size = 1000 ;
2005-01-07 21:13:53 +03:00
t . out . domains = & domains ;
t . out . resume_handle = & resume_handle ;
status = dcerpc_lsa_EnumTrustDom ( p2 , mem_ctx , & t ) ;
if ( ( ! NT_STATUS_IS_OK ( status ) & &
( ! NT_STATUS_EQUAL ( status , NT_STATUS_NO_MORE_ENTRIES ) ) ) ) {
printf ( " Could not list domains \n " ) ;
return False ;
}
2005-03-22 11:00:45 +03:00
talloc_free ( p2 ) ;
2005-01-07 21:13:53 +03:00
d . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " ,
dcerpc_server_name ( p ) ) ;
for ( i = 0 ; i < domains . count * 4 ; i + + ) {
struct lsa_DomainInformation * info =
& domains . domains [ rand ( ) % domains . count ] ;
d . in . domainname = info - > name . string ;
status = dcerpc_netr_GetAnyDCName ( p , mem_ctx , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " GetAnyDCName - %s \n " , nt_errstr ( status ) ) ;
continue ;
}
printf ( " \t DC for domain %s is %s \n " , info - > name . string ,
d . out . dcname ? d . out . dcname : " unknown " ) ;
}
return ret ;
}
2004-09-02 15:06:23 +04:00
2004-10-28 17:40:50 +04:00
BOOL torture_rpc_netlogon ( void )
2003-12-01 04:41:38 +03:00
{
NTSTATUS status ;
struct dcerpc_pipe * p ;
TALLOC_CTX * mem_ctx ;
BOOL ret = True ;
2004-11-12 02:24:30 +03:00
struct test_join * join_ctx ;
2005-10-04 03:46:21 +04:00
struct cli_credentials * machine_credentials ;
2003-12-01 04:41:38 +03:00
mem_ctx = talloc_init ( " torture_rpc_netlogon " ) ;
2005-09-25 16:26:07 +04:00
join_ctx = torture_join_domain ( TEST_MACHINE_NAME , ACB_SVRTRUST ,
2005-10-04 03:46:21 +04:00
& machine_credentials ) ;
2004-06-06 11:14:10 +04:00
if ( ! join_ctx ) {
2005-03-22 11:00:45 +03:00
talloc_free ( mem_ctx ) ;
2004-04-27 10:36:39 +04:00
printf ( " Failed to join as BDC \n " ) ;
return False ;
}
2005-10-04 03:46:21 +04:00
machine_password = cli_credentials_get_password ( machine_credentials ) ;
2005-03-22 11:00:45 +03:00
status = torture_rpc_connection ( mem_ctx , & p ,
2003-12-01 04:41:38 +03:00
DCERPC_NETLOGON_NAME ,
DCERPC_NETLOGON_UUID ,
DCERPC_NETLOGON_VERSION ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-03-22 11:00:45 +03:00
talloc_free ( mem_ctx ) ;
2003-12-01 04:41:38 +03:00
return False ;
}
2005-01-06 12:26:14 +03:00
ret & = test_LogonUasLogon ( p , mem_ctx ) ;
ret & = test_LogonUasLogoff ( p , mem_ctx ) ;
2005-10-26 09:56:44 +04:00
ret & = test_SamLogon ( p , mem_ctx , machine_credentials ) ;
2005-01-06 12:26:14 +03:00
ret & = test_SetPassword ( p , mem_ctx ) ;
2005-01-12 10:22:34 +03:00
ret & = test_SetPassword2 ( p , mem_ctx ) ;
2005-01-06 12:26:14 +03:00
ret & = test_GetDomainInfo ( p , mem_ctx ) ;
ret & = test_DatabaseSync ( p , mem_ctx ) ;
ret & = test_DatabaseDeltas ( p , mem_ctx ) ;
ret & = test_AccountDeltas ( p , mem_ctx ) ;
ret & = test_AccountSync ( p , mem_ctx ) ;
ret & = test_GetDcName ( p , mem_ctx ) ;
2005-01-07 21:13:53 +03:00
ret & = test_ManyGetDCName ( p , mem_ctx ) ;
2005-01-06 12:26:14 +03:00
ret & = test_LogonControl ( p , mem_ctx ) ;
ret & = test_GetAnyDCName ( p , mem_ctx ) ;
ret & = test_LogonControl2 ( p , mem_ctx ) ;
ret & = test_DatabaseSync2 ( p , mem_ctx ) ;
ret & = test_LogonControl2Ex ( p , mem_ctx ) ;
ret & = test_DsrEnumerateDomainTrusts ( p , mem_ctx ) ;
ret & = test_GetDomainInfo_async ( p , mem_ctx ) ;
ret & = test_netr_DrsGetDCNameEx2 ( p , mem_ctx ) ;
2004-11-22 20:14:57 +03:00
2005-01-27 10:08:20 +03:00
talloc_free ( mem_ctx ) ;
2004-08-04 11:44:14 +04:00
2004-06-06 11:14:10 +04:00
torture_leave_domain ( join_ctx ) ;
2004-04-27 10:36:39 +04:00
2003-12-01 04:41:38 +03:00
return ret ;
}